@akerl
Last active December 9, 2020 02:40
Unifi LetsEncrypt setup

Edit /etc/nginx/sites-enabled/cloudkey-webui and change its listen 443 to listen 1443, so that port 443 is free for the new server block.

Then add the following server block to the nginx config:

server {
        listen [::]:443 ssl ipv6only=off;
        ssl_protocols TLSv1.2;

        ssl_certificate /root/.acme.sh/controller.infra.home.a-rwx.org/controller.infra.home.a-rwx.org.cer;
        ssl_certificate_key /root/.acme.sh/controller.infra.home.a-rwx.org/controller.infra.home.a-rwx.org.key;

        location / {
                proxy_pass https://localhost:8443;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header Host $host;
        }
}
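
The port move in the first step can be scripted and checked before the new server block is added. This is an added example, not part of the original gist: the function names and the sample config are constructed, and the backup path is a separate argument because Debian's stock nginx.conf includes every file under sites-enabled.

```bash
#!/usr/bin/env bash
# Added example, not from the gist. Function names and sample are constructed.
set -eu

# ERE for a listen directive on port $1, with or without an address prefix:
# matches "listen 443 ssl;" and "listen [::]:443 ssl;" but not "listen 4430;".
listen_re() {
    printf '^([[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?)%s([[:space:];])' "$1"
}

# count_listeners FILE PORT: print how many listen directives use PORT.
count_listeners() {
    grep -cE "$(listen_re "$2")" "$1" || true
}

# move_listen_port FILE OLD NEW BACKUP: rewrite OLD to NEW in FILE.
# BACKUP must live outside sites-enabled so nginx does not load it too.
move_listen_port() {
    if [ "$(count_listeners "$1" "$3")" -ne 0 ]; then
        echo "refusing: $1 already listens on $3" >&2
        return 1
    fi
    cp -p "$1" "$4"
    # Write through the existing path so a sites-enabled symlink survives.
    sed -E "s/$(listen_re "$2")/\\1$3\\3/" "$4" > "$1"
    # Succeed only if nothing is left on the old port.
    [ "$(count_listeners "$1" "$2")" -eq 0 ]
}

# Constructed stand-in for /etc/nginx/sites-enabled/cloudkey-webui.
write_sample() {
    cat > "$1" <<'EOF'
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        listen 4430;
        ssl_certificate /etc/ssl/private/cloudkey.crt;
}
EOF
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    write_sample "$demo"
    move_listen_port "$demo" 443 1443 "$demo.orig" && cat "$demo"
fi
```

On the Cloud Key itself, run `nginx -t` after the rewrite and before `service nginx restart`.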
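
#!/usr/bin/env bash
# Renewal script: renew the certificate, then restart nginx to load it.
# With set -e, nginx is restarted only if acme.sh exits 0.
set -xeuo pipefail
export CERT_NAME=controller.infra.home.a-rwx.org
/opt/acme/acme.sh --renew --domain "$CERT_NAME"
service nginx restart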
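
#!/usr/bin/env bash
# Initial setup script: install acme.sh, issue the certificate, deploy it.
# No -x here, so the AWS secret is not echoed to the trace output.
set -euo pipefail
export CERT_NAME=controller.infra.home.a-rwx.org
export ALIAS_NAME=controller.infra.home.certs.a-rwx.org
# Fill these in before running.
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_ZONE_ID=
apt update
apt install -y git
git clone https://github.com/akerl/acme.sh /opt/acme
# Issue via DNS validation, publishing the challenge record under ALIAS_NAME.
/opt/acme/acme.sh --issue --domain "$CERT_NAME" --dns dns_aws --challenge-alias "$ALIAS_NAME"
# Install the certificate into the UniFi controller.
/opt/acme/acme.sh --deploy --domain "$CERT_NAME" --deploy-hook unifi
# Point the stock Cloud Key web UI at the issued certificate and key.
sed -i "s|/etc/ssl/private/cloudkey.crt|/root/.acme.sh/${CERT_NAME}/${CERT_NAME}.cer|" /etc/nginx/sites-enabled/cloudkey-webui
sed -i "s|/etc/ssl/private/cloudkey.key|/root/.acme.sh/${CERT_NAME}/${CERT_NAME}.key|" /etc/nginx/sites-enabled/cloudkey-webui
service nginx restart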